7 Replies Latest reply on Aug 7, 2015 12:34 PM by rbkinsey

    McAfee ePO and Splunk

    ze.mysterious

      Hello,

      Is there a way to generate ePO logs in the form of syslog so as to import them directly into Splunk?

      Also,

      Can you please share a way to connect ePO and Splunk?

      Thanking you in advance.

      Regards,

      Azhar

        • 1. Re: McAfee ePO and Splunk
          frank_enser

          Hi,

          there is a Splunk Add-on which gets its data directly from the ePO database: Splunk Add-on for McAfee

          Regards,

          Frank

          • 2. Re: McAfee ePO and Splunk
            rbkinsey

            Under the Registered Servers (Menu | Configuration | Registered Servers) make sure you add the Splunk server as an SNMP server.  You have v1 - v3 options, otherwise it's a firehose and you have to use the Splunk add-on to parse the logs how you want them in Splunk.

            Make sure your firewall team allows 161 and 162 from ePO to Splunk and back.  Alternatively you may use 10161 / 10162 (SSNMP) or any different ports you use.

            • 3. Re: McAfee ePO and Splunk
              ze.mysterious

              Hello,

              Thank you both for your help... however, can you please share the steps for both methods?

              Thank you

              Azhar

              • 4. Re: McAfee ePO and Splunk
                frank_enser

                Hello,

                you can find the complete documentation (with step-by-step installation guide) here.

                Regards,

                Frank

                • 5. Re: McAfee ePO and Splunk
                  ze.mysterious

                  Thank you

                  • 6. Re: McAfee ePO and Splunk
                    ze.mysterious

                    Rbkinsey,

                    Can you please describe the steps for your mentioned solutions using Registered Servers?

                    • 7. Re: McAfee ePO and Splunk
                      rbkinsey

                      From the ePO console select Menu > Configuration > Registered Servers.  Under the Registered Servers area you will add a New server.  Identify it as an SNMP server, give the correct connection information (IP / hostname) and any other configuration you need.  You only have the v1, v2c and v3 options available and there is no adjustment of the SNMP data sent.  If you choose SNMP v3 you will need to provide additional security details.  Identify your Splunk server as the SNMP server and then apply the Splunk add-on as previously described.

                      You can also configure Automatic Responses to send SNMP Trap data as part of your sub-actions.

                      Taken from the ePO 5.3 Product Guide, p.86

                      Task

                      1 Click Menu | Configuration | Registered Servers, then click New Server.

                      2 From the Server Type menu on the Description page, select SNMP Server, provide the name and any additional information about the server, then click Next.

                      3 From the URL drop-down list, select one of these types of server address, then enter the address:

                        • DNS Name — Specifies the DNS name of the registered server.
                        • IPv4 — Specifies the IPv4 address of the registered server.
                        • IPv6 — Specifies the DNS name of the registered server which has an IPv6 address.

                      4 Select the SNMP version that your server uses:

                        • If you select SNMPv1 or SNMPv2c as the SNMP server version, type the community string of the server under Security.
                        • If you select SNMPv3, provide the SNMPv3 Security details.

                      5 Click Send Test Trap to test your configuration.

                      6 Click Save.
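Two points in this thread are worth verifying on the receiving side: reply 2's firewall rule (ePO sends traps as UDP datagrams to port 162 on the SNMP server you register) and step 5 of the product guide excerpt, "Send Test Trap". The block below is an added example, not code from the thread, McAfee or Splunk: a minimal SNMPv1/v2c trap decoder that can be bound on the Splunk host to confirm that the test trap arrives and that its community string matches what was typed under Security in step 4, before the add-on is involved. It also makes the mitigation point concrete: with v1/v2c the community string is readable in cleartext on the wire, which is the reason to choose SNMPv3 on the Registered Server where the collector supports it. The sample datagram is constructed for this example (community "public", enterprise OIDs under 1.3.6.1.4.1.32473, the number reserved for documentation); the function names are this example's own.

```python
# Added example (not McAfee's, Splunk's or the posters' code): decode SNMPv1/v2c traps on the collector.
import socket
from typing import Any

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """One BER TLV at buf[pos] -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw: bytes) -> str:
    """BER OBJECT IDENTIFIER -> dotted string; the first octet packs the first two arcs."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def _decode_value(tag: int, raw: bytes) -> Any:
    """SMI value types seen in trap varbinds; anything else is left as hex."""
    if tag == 0x02:                      # INTEGER
        return int.from_bytes(raw, "big", signed=True)
    if tag in (0x41, 0x42, 0x43, 0x46):  # Counter32, Gauge32, TimeTicks, Counter64
        return int.from_bytes(raw, "big")
    if tag == 0x04:                      # OCTET STRING
        return raw.decode("utf-8", errors="replace")
    if tag == 0x06:                      # OBJECT IDENTIFIER
        return _decode_oid(raw)
    if tag == 0x40:                      # IpAddress
        return ".".join(str(b) for b in raw)
    return None if tag == 0x05 else raw.hex()  # NULL / anything else

def decode_trap(datagram: bytes) -> dict:
    """Parse a trap datagram into version, community and varbinds (v1 and v2c only)."""
    _, msg, _ = _read_tlv(datagram, 0)                  # Message ::= SEQUENCE
    _, ver_raw, pos = _read_tlv(msg, 0)                 # version INTEGER: 0=v1, 1=v2c, 3=v3
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver_raw, "big"), "unknown")
    if version not in ("v1", "v2c"):
        # v3 wraps the PDU in USM security parameters; there is no cleartext community to read
        return {"version": version, "community": None, "varbinds": []}
    _, community, pos = _read_tlv(msg, pos)             # community string, cleartext on the wire
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    out = {"version": version, "community": community.decode("ascii", "replace"), "varbinds": []}
    pos = 0
    if pdu_tag == 0xA4:    # v1 Trap-PDU header fields
        for name in ("enterprise", "agent_addr", "generic_trap", "specific_trap", "uptime"):
            t, v, pos = _read_tlv(pdu, pos)
            out[name] = _decode_value(t, v)
    elif pdu_tag == 0xA7:  # v2c SNMPv2-Trap-PDU: skip request-id, error-status, error-index
        for _ in range(3):
            _, _, pos = _read_tlv(pdu, pos)
    else:
        raise ValueError(f"not a trap PDU: {hex(pdu_tag)}")
    _, vbs, _ = _read_tlv(pdu, pos)                     # VarBindList ::= SEQUENCE OF VarBind
    while vbs:
        _, vb, n = _read_tlv(vbs, 0)
        _, oid_raw, p = _read_tlv(vb, 0)
        vtag, val_raw, _ = _read_tlv(vb, p)
        out["varbinds"].append((_decode_oid(oid_raw), _decode_value(vtag, val_raw)))
        vbs = vbs[n:]
    return out

def verify_test_trap(datagram: bytes, expected_community: str) -> tuple[bool, str]:
    """Accept only v1/v2c traps whose community matches the one typed into ePO."""
    try:
        trap = decode_trap(datagram)
    except (IndexError, ValueError) as exc:
        return False, f"undecodable datagram: {exc!r}"
    if trap["version"] == "v3":
        return False, "SNMPv3 message; a USM-aware receiver (or the add-on) is needed to inspect it"
    if trap["community"] != expected_community:
        return False, f"community mismatch: got {trap['community']!r}"
    return True, f"{trap['version']} trap with {len(trap['varbinds'])} varbinds"

def listen(expected_community: str, port: int = 162) -> None:
    """Bind the standard trap port (162 needs root/admin) and report each datagram as it arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            print(src, *verify_test_trap(data, expected_community))

# Constructed sample (not captured from ePO): SNMPv2c trap, community "public", OIDs under
# 1.3.6.1.4.1.32473, the enterprise number reserved for documentation (RFC 5612).
SAMPLE_V2C_TRAP = bytes.fromhex(
    "30 60 02 01 01 04 06 70 75 62 6c 69 63"                # SEQUENCE(96), version 1 (v2c), "public"
    "a7 53 02 01 01 02 01 00 02 01 00 30 48"                # Trap-PDU(83), req-id 1, errors 0/0, VarBindList(72)
    "30 0e 06 08 2b 06 01 02 01 01 03 00 43 02 30 39"       # sysUpTime.0 = TimeTicks 12345
    "30 18 06 0a 2b 06 01 06 03 01 01 04 01 00"             # snmpTrapOID.0 =
    "06 0a 2b 06 01 04 01 81 fd 59 01 01"                   #   1.3.6.1.4.1.32473.1.1
    "30 1c 06 0b 2b 06 01 04 01 81 fd 59 01 02 00"          # 1.3.6.1.4.1.32473.1.2.0 =
    "04 0d 65 50 4f 20 74 65 73 74 20 74 72 61 70"          #   "ePO test trap"
)

if __name__ == "__main__":  # offline check; on the collector host run listen("<community>") instead
    print(verify_test_trap(SAMPLE_V2C_TRAP, "public"), decode_trap(SAMPLE_V2C_TRAP)["varbinds"])
```

Run it as-is to see the constructed datagram decoded, then call `listen("<community>")` on the Splunk host (as a privileged user, since port 162 is below 1024) and click Send Test Trap in ePO: an ACCEPT line from the ePO address confirms both the firewall path and the community string, a REJECT with "community mismatch" points at step 4, and no output at all points back at the firewall rule from reply 2. Because v1/v2c traps are neither authenticated nor encrypted, anything on the path can read the community string this decoder prints, so treat it as a shared secret with no strength and prefer the SNMPv3 option when the receiving side can validate USM credentials.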